XSS Vulnerability Fix!

  • shovel

    (@shovel)


    19 years ago

    I am the master, and the commander. lol
    But anyways. First off, My Introduction.

    My name is Anthony White. I’m an independent software engineer from South Carolina, USA. I’m also a former intern for SCEA. I’ve just downloaded WordPress “Strayhorn” v1.5.2, as of yesterday. Since then, I’ve already discovered and fixed an extremely important vulnerability!

    I discovered on December 3rd, 2005, an XSS vulnerability located in the classes.php file located in sub-dir ‘wp-includes’. The var it affects is $q[‘s’] used for the Search functionality. The programming does NOT properly remove dangerous ASCII and HEX values that can be used in a malicious manner in an event of an XSS (cross site scripting) attack.

    I have already developed a STABLE fix for this feature. Please, do yourself a favor, users. FIX IT!

    [Moderated and code removed so it cannot be used irresponsibly. Anthony – thank you for the information. It has been passed to those that need it – Podz]

Viewing 3 replies - 1 through 3 (of 3 total)
  • Kafkaesqui

    (@kafkaesqui)

    Hey Anthony? A master/commander would typically contact the developers first about a suspected security issue (and fix) before broadcasting to the public what it is and how one might take advantage of it:

    https://www.ads-software.com/about/contact/

    Just saying…

    Thread Starter shovel

    (@shovel)

    It’s been contributed. The fix is for public knowledge considering it would have already been announced after the developers figured it out. And please don’t critque me. I could’ve not had made the fix at all. And maybe you should be generous instead of skeptical. Thanks.

    vkaryl

    (@vkaryl)

    All security oriented info should go direct to security*at*wordpress*dot*org. Please send this info on to that address. No security info or “fixes” should be released here until the appropriate folks have been notified.

    Closing topic.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘XSS Vulnerability Fix!’ is closed to new replies.